What is Network Segmentation?
Network segmentation is a strategy that divides the enterprise network into segregated, isolated segments to reduce the attack surface.
In today's data centers, with the explosion of users and the dynamic nature of applications and resources, security strategies move the perimeter closer to the resource than the 'castle and moat' model did.
Network segmentation, along with identity, is one of the core concepts of a Zero Trust security strategy as described in the NIST SP 800-207 Zero Trust framework.
Traditional network segmentation, also known as macro-segmentation, is usually achieved using internal firewalls and VLANs. In microsegmentation, the perimeter and security controls are moved closer to the resource (e.g. a workload or a 3-tier application), creating secure zones. Network macro/microsegmentation is primarily done to limit East-West traffic across the data center and to prevent or slow down lateral movement by attackers.
Network macro/microsegmentation can be achieved with:
- Hardware firewalls (e.g. internal segmentation firewalls) – traffic flow to the zones or segments is governed by firewall rules
- VLANs and access control lists (ACLs) – filter access to networks/subnets
- Software-defined perimeter (SDP) – moves the perimeter closer to the host, providing a virtual boundary and enabling granular policy controls at the workload level
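As an added example (not code from the original article), the zone-based, default-deny allow-list behind a microsegmented 3-tier application, modelled in Python. The subnets, zones, ports and sample flows are constructed assumptions; the point is that any East-West flow between zones without an explicit rule is denied.

```python
"""Toy default-deny microsegmentation check for a 3-tier application:
hosts belong to zones, and East-West flows between zones are allowed only
when explicitly listed, so a foothold in one tier cannot reach the next."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone layout and allow-list (assumptions, not from the page).
ZONES = {"web": ip_network("10.0.1.0/24"),
         "app": ip_network("10.0.2.0/24"),
         "db": ip_network("10.0.3.0/24")}
# (source zone, destination zone, destination port); anything else is denied.
ALLOW = {("web", "app", 8080),   # web tier may call the application API
         ("app", "db", 5432)}    # app tier may query the database

def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is outside every segment."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def evaluate(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one flow under the zone policy."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "deny", "address outside any defined segment"
    if s == d:
        return "allow", f"intra-zone traffic within {s}"
    if (s, d, dport) in ALLOW:
        return "allow", f"{s}->{d}:{dport} is on the allow-list"
    return "deny", f"East-West {s}->{d}:{dport} is not permitted"

def audit(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Return the flows the policy would block (candidates for alerting)."""
    return [f for f in flows if evaluate(*f)[0] == "deny"]

# Constructed sample flows: expected tier-to-tier traffic plus two flows that
# cross tiers without an allow rule and must therefore be denied.
SAMPLE = [("10.0.1.10", "10.0.2.20", 8080),   # web -> app API: allowed
          ("10.0.2.20", "10.0.3.30", 5432),   # app -> db: allowed
          ("10.0.1.10", "10.0.3.30", 5432),   # web -> db directly: denied
          ("10.0.2.20", "10.0.1.10", 22),     # app -> web SSH: denied
          ("10.0.1.10", "10.0.1.11", 80)]     # web -> web: intra-zone, allowed

if __name__ == "__main__":
    for flow in SAMPLE:
        print(flow, *evaluate(*flow))
```

Running `audit(SAMPLE)` returns exactly the two cross-tier flows that have no allow rule; in a real deployment those are the events a segmentation control would log or block.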
The Network Macrosegmentation Approach – Pros and Cons
Resource access policies defined through firewall rules, VLANs/ACLs and VPNs are static and focus only on ingress and egress traffic. These policies are rigid and cannot scale or adapt to dynamic hybrid environments and the dynamic secure-access requirements that have moved beyond static perimeters.
| Pros | Cons |
| --- | --- |
| One of the oldest and most widely adopted methods of segmentation; predates Zero Trust | VLANs and firewalls create multiple chokepoints in the network, which degrades network performance and business productivity (high friction) |
| Familiar hardware firewalls control both East-West and North-South traffic | Thousands of firewall rules and VLANs/ACLs quickly become a management and security nightmare (complex, prone to human error) |
| | Expensive to scale up, with hardware investment and personnel costs |
| | Complex to achieve centralized visibility across on-premises and cloud environments |
| | What works on-premises doesn't work in the cloud (visibility and security gaps, large attack surface) |
| | Complex to achieve granular policies; no security context |
| | Policies are rigid and don't adapt to dynamic environments or sudden shifts in business models (e.g. remote workforce, mergers and acquisitions, divestiture) |
| | Vendor lock-in becomes an overhead |
The Network Microsegmentation Approach – Pros and Cons
The perimeter is moved closer to the resource, and security controls are applied at the individual host.
| Pros | Cons |
| --- | --- |
| Platform and infrastructure independent | Requires agents on every endpoint, workload or hypervisor/virtual machine |
| Context-based security controls with granular policies | Though fine-grained policies are an advantage, the sheer number of policies that must be created and managed across thousands of resources, user groups, zones (microsegments) and applications is overwhelming |
| Unified platform | 90% of the traffic is encrypted, requiring resource-intensive SSL/TLS decryption for full visibility, which dramatically increases processing requirements and therefore the cost to implement and operationalize this segmentation |
| | Requires complete awareness of the entire data center architecture (what is changing, what is new and where the gaps are) before policies can be written that don't break business productivity (e.g. the sudden shift to remote work, and what happens when employees return after the pandemic: how will the architecture/topology change, how will the policies be affected, and what are the 'new' gaps?) |
| | Minimal or no threat detection and prevention; separate tools and integrations are needed for threat intelligence, detection and prevention |
The network-centric segmentation approach, whether macrosegmentation or microsegmentation, clearly has its pros and cons. Network segmentation has many moving parts: hardware firewalls, software-defined perimeters, additional controls and tools for multi-cloud infrastructure, and numerous resource access policies that must be managed and updated to keep up with attacks and the evolving threat landscape.
Shifting Gears: From Network Segmentation to Identity Segmentation
Though network segmentation reduces the attack surface, it does not protect against adversary tactics and techniques in the identity phases of the kill chain. The method of segmentation that provides the most risk reduction, at reduced cost and operational complexity, is identity segmentation.
Protecting identities significantly reduces the risk of breaches from modern attacks, such as ransomware and supply chain threats, in which compromised credentials are a key factor. According to the Cost of a Data Breach 2021 Report by IBM and the Ponemon Institute, compromised or stolen user credentials were the most common root cause of breaches in 2021 and also took the longest time — an average of 250 days — to identify.
This is where CrowdStrike’s identity segmentation helps to significantly limit the attack surface by isolating and segmenting identities — providing immediate value, as the majority of breaches leverage user credentials.
Unfamiliar with identity segmentation?
Learn what identity segmentation is and what it isn’t, and download the white paper below to understand how identity segmentation differs from network segmentation.